Researchers have found three new malware families used in a widespread phishing campaign entrenched in financial crime.
On Tuesday, FireEye’s Mandiant cybersecurity team said the malware strains, dubbed Doubledrag, Doubledrop, and Doubleback, were detected in December 2020.
The threat actors behind the malware, described as “experienced and well-resourced,” are being tracked as UNC2529.
Organizations in the US, EMEA region, Asia, and Australia have, so far, been targeted in two separate waves.
Phishing messages were rarely sent from the same email address, and subject lines were tailored to each target; in many cases the threat actors posed as account executives touting services suited to different industries, including defense, medicine, transport, the military, and electronics.
Over 50 domains, in total, were used to manage the global phishing scheme. In one successful attack, UNC2529 compromised a domain owned by a US heating and cooling services business, tampered with its DNS records, and used this infrastructure to launch phishing attacks against at least 22 organizations.
The lure emails contained links to URLs that served malicious .PDF payloads together with an accompanying JavaScript file in a .zip archive. The documents, fetched from public sources, were corrupted to render them unreadable, the idea being that frustrated victims would double-click the .js file in an attempt to read the content.
Mandiant says the .js file, which is heavily obfuscated, contains the Doubledrag downloader. Alternatively, some campaigns have used an Excel document with an embedded macro to deliver the same payload.
Upon execution, Doubledrag attempts to download a dropper as the second stage of the attack chain. This dropper, Doubledrop, is an obfuscated PowerShell script designed to establish a foothold into an infected machine by loading a backdoor into memory.
The final component is the Doubleback backdoor, which was built in both 32-bit and 64-bit versions.
“The backdoor, once it has the execution control, loads its plugins and then enters a communication loop, fetching commands from its [command-and-control] C2 server and dispatching them,” Mandiant notes. “One interesting fact about the whole ecosystem is that only the downloader exists in the file system. The rest of the components are serialized in the registry database, which makes their detection somewhat harder, especially by file-based antivirus engines.”
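A defender-side illustration of hunting for that chain, added here as an example and not taken from Mandiant's report: it correlates constructed Sysmon-style records on one host, looking for a .js run straight out of a .zip, an encoded PowerShell child of wscript.exe, and a large registry write from PowerShell. The record layout, the Temp1_ archive path convention, the 4 KB blob threshold and the registry key name are all assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style records, not real telemetry:
# (host, kind, parent_image, image_or_key, detail)
SAMPLE_EVENTS = [
    ("ws01", "process", "explorer.exe", "wscript.exe",
     r"wscript.exe C:\Users\u\AppData\Local\Temp\Temp1_docs.zip\report.js"),
    ("ws01", "process", "wscript.exe", "powershell.exe",
     "powershell.exe -NoP -W Hidden -Enc SQBFAFgA"),
    ("ws01", "registry", "powershell.exe", r"HKCU\Software\Hypothetical\Stage",
     "Binary data, " + "00" * 6000),
    ("ws02", "process", "explorer.exe", "notepad.exe",
     r"notepad.exe C:\Users\u\Documents\notes.txt"),
    ("ws02", "process", "explorer.exe", "powershell.exe",
     "powershell.exe -File C:\\scripts\\backup.ps1"),
]

# Explorer extracts a file opened from inside a .zip to %TEMP%\Temp1_<name>.zip\
# (assumed convention); a .js launched from there matches the lure described.
JS_FROM_ARCHIVE = re.compile(r"\\Temp1_[^\\]+\.zip\\[^\\]+\.js\b", re.I)

def stage_of(event):
    """Map one record to a stage name of the described chain, or None."""
    host, kind, parent, image, detail = event
    if kind == "process" and image.lower() == "wscript.exe" \
            and JS_FROM_ARCHIVE.search(detail):
        return "js_downloader"          # .js run straight from a .zip
    if kind == "process" and image.lower() == "powershell.exe" \
            and parent.lower() == "wscript.exe" \
            and re.search(r"-e(nc(odedcommand)?)?\s", detail, re.I):
        return "ps_dropper"             # encoded PowerShell spawned by wscript
    if kind == "registry" and parent.lower() == "powershell.exe" \
            and len(detail) >= 4096:
        return "registry_payload"       # large blob written from PowerShell
    return None

def hunt(events):
    """Return {host: sorted stages} for hosts showing two or more stages."""
    seen = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            seen[ev[0]].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= 2}

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))  # {'ws01': ['js_downloader', 'ps_dropper', 'registry_payload']}
```

Requiring two stages on the same host keeps a lone encoded PowerShell command or a single large registry value from paging anyone on its own.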
There are indications that the malware is still under development: existing functionality scans for the presence of antivirus products, such as those from Kaspersky and BitDefender, but no action is taken even if one is detected.
Analysis of the new malware strains is ongoing.
“Although Mandiant has no evidence about the objectives of this threat actor, their broad targeting across industries and geographies is consistent with a targeting calculus most commonly seen among financially motivated groups,” the researchers say.